The underlying flaw is in PHP itself, so it affects PHP applications in general, not just WordPress; in WordPress it specifically affects blogs with open registration. Boren says the attack is difficult to accomplish, but WordPress would rather be safe than sorry in case it is exploited in the future. If you allow open registration on your WordPress blog, upgrade immediately and follow the instructions in the announcement.

WordPress 2.7 is due later this fall. If you are interested in following the development of WordPress and WordPress related applications, here is a list:

I agree with John. When I read your first paragraph my reaction was, WHAT?? Ryan Boren only said “you should definitely upgrade” in the linked post; he didn’t use the terms “mandatory” and “required.” Using an expression from my neck of the woods: Get off your high horse.

Yes, and once again what I’ve been saying for a long time proves true: Every “upgrade” to WordPress comes complete with its own new set of security holes. I’d never recommend WordPress to a new user for this reason alone.

I’ve never done it this way before, but the only files I uploaded were the ones on the list of changed files you linked to, Lorelle. Then I directed my browser to the wp-admin/upgrade.php file and everything seemed to be fine. Will it be fine? As I said, I’ve never done it this way before.

Pagani: I take it you didn’t read the link? Or do you just like making stuff up? This security flaw affects phpBB and hundreds of other software packages. It was a fundamental flaw found in the way PHP seeds its random number generator.

I also think you’ll find that WordPress has no more security issues than any other often updated piece of software. With WordPress though, the issue is actually fixed (the random number flaw was discovered very recently) rather than ignoring it or patching it 6 months later like other packages (I won’t name names).

But anyway, you are more than welcome to go use something else or even code your own. I think you’ll find though you were much better off with WordPress. ;)
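As an added illustration of the point the reply above makes (and of why the opening paragraph singles out open-registration blogs), here is a small demonstration of what goes wrong when password-reset tokens come from a PRNG seeded with a guessable value. This is my own example, not code from the original post, from WordPress, or from Ryan Boren. It is written in Python rather than PHP because Python’s `random.Random` is the same Mersenne Twister family as PHP’s `mt_rand`, so the principle carries over directly; the clock-based seed, the token format and the search window are assumptions made for the demo, not a description of the actual WordPress 2.6.0 code.

```python
"""Why a predictably seeded PRNG makes password-reset tokens guessable.

Added illustration, not WordPress code. random.Random (Mersenne Twister,
the same family as PHP's mt_rand) seeded from the clock stands in for
"a PRNG seeded from a low-entropy value". The token format, the one-second
clock seed and the +/-300 s search window are assumptions for the example.
"""
import random
import secrets
import string
from typing import Optional

ALPHABET = string.ascii_letters + string.digits
TOKEN_LEN = 20


def weak_token(seed: int, length: int = TOKEN_LEN) -> str:
    """Token drawn from a PRNG whose entire state is the integer seed.
    Anyone who can guess the seed regenerates the exact same token."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def issue_weak_reset_token(unix_time: int) -> str:
    """Vulnerable server (assumed design): seeds from the clock at the
    moment of the reset request. One-second resolution means the seed
    space an attacker has to search is tiny."""
    return weak_token(unix_time)


def recover_seed(token: str, approx_time: int, window: int = 300) -> Optional[int]:
    """Attacker side. On an open-registration site the attacker can trigger
    a reset for the victim account themselves, so they know roughly when
    the token was issued (assumption: within +/- window seconds). They
    simply regenerate the token for every candidate second."""
    for seed in range(approx_time - window, approx_time + window + 1):
        if weak_token(seed) == token:
            return seed
    return None


def strong_token(length: int = TOKEN_LEN) -> str:
    """Hardened version: draw from the OS CSPRNG. There is no seed to
    guess, so knowing when the token was issued tells the attacker nothing."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def demo() -> dict:
    """Run both sides once and report whether the attack worked."""
    request_time = 1217000000            # constructed timestamp for the demo
    victim_token = issue_weak_reset_token(request_time)
    # Attacker's clock is 47 s off from the server's; still well inside the window.
    guessed_seed = recover_seed(victim_token, request_time + 47)
    return {
        "weak_token": victim_token,
        "seed_recovered": guessed_seed == request_time,
        "strong_tokens_differ": strong_token() != strong_token(),
    }


if __name__ == "__main__":
    print(demo())
```

The takeaway is the same in PHP: the quality of a reset token is bounded by the entropy of whatever seeded the generator, and on an open-registration site the attacker controls when that seeding happens. The fix is not a longer token but a source with no guessable seed (in modern PHP, `random_bytes()`; here, `secrets`).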

I am finding it impossible to upgrade from 2.5 to 2.6. My hosting is on Go Daddy – all the sites on Network Solutions upgraded without a problem. But when I upgrade to 2.6 on the Go Daddy hosting account everything seems to go well until I have to log back in after the installation. The old password does not work and I request a new password. That doesn’t work either – so I have had to go back to 2.5 just to get the site to display. Any ideas? Thanks, Chief

There are some issues, but the issues are usually found on sites that have been tweaked and experimented with – not “normal” sites – or on sites with old versions of server software and such. But for the most part, many are using it successfully. You’ll have to check the Plugin author’s site for more specific information.

Have you checked in the WordPress Support Forum for help? Did you DELETE the old files before uploading the new ones? Did you check to see if somehow your Profile settings were changed to the non-visual editor settings, and change them back?

The suggestions I offered Chief are the ones I recommend. I also recommend checking the WordPress Support Forum as that is where trained and experienced volunteers and staff are answering these kinds of questions. :D

Um, yes. In fact, there was a “pirate” who publicly displayed a huge list of blogs that hadn’t upgraded and announced that he was going to go down the list and hack each of them. He actually succeeded for some on the list. He considered them “warned” and then he attacked.

It isn’t common, but it does happen, which is why it is so important to upgrade when there are security issues at stake. This particular issue might only involve open registration blogs, but that is a lot of WordPress blogs, with open registration for comments, multiple bloggers and contributors. And since this is a PHP issue, who knows what PHP you may have added to your WordPress blog by tweaking it that might make it vulnerable. Better safe than sorry.

Check the WordPress Support Forum. So far, I’ve had none of the problems a few sites are reporting. It could be a problem with your WordPress Theme or how you upgraded. The Forum is the best place for help.